FEDERAL INFORMATION SECURITY
MANAGEMENT ACT REPORT

Evaluation of
Social Security Administration's
Compliance with the
Federal Information Security Management Act

A-14-03-13046

September 2003           James G. Huse, Jr. – Inspector General


                                    Mission

We improve SSA programs and operations and protect them against fraud, waste,
and abuse by conducting independent and objective audits, evaluations, and
investigations. We provide timely, useful, and reliable information and advice to
Administration officials, the Congress, and the public.

                                   Authority

The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

   •   Conduct and supervise independent and objective audits and
       investigations relating to agency programs and operations.
   •   Promote economy, effectiveness, and efficiency within the agency.
   •   Prevent and detect fraud, waste, and abuse in agency programs and
       operations.
   •   Review and make recommendations regarding existing and proposed
       legislation and regulations relating to agency programs and operations.
   •   Keep the agency head and the Congress fully and currently informed of
       problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

   •   Independence to determine what reviews to perform.
   •   Access to all information necessary for the reviews.
   •   Authority to publish findings and recommendations based on the reviews.

                                     Vision

By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and management and in
our own office.


                                         SOCIAL SECURITY
MEMORANDUM

Date:    September 5, 2003

To:      The Commissioner

From:    Inspector General

Subject: Evaluation of Social Security Administration's Compliance with the Federal Information
         Security Management Act (A-14-03-13046)


OBJECTIVE

Our objective was to determine if the Social Security Administration's (SSA) overall
security program and practices complied with the requirements of the Federal
Information Security Management Act of 2002 (FISMA).[1] Our analysis includes an
evaluation of SSA's plan of action and milestones (POA&M) process.

SUMMARY OF RESULTS

During our Fiscal Year (FY) 2003 FISMA evaluation, we determined that SSA generally
met the FISMA requirements and has made improvements over the past year.
However, there are still opportunities for the Agency to strengthen its information
security program. To ensure full compliance with FISMA in the future, SSA needs to
address the following issues:

   1. Not all system weaknesses and deficiencies were identified and reported, and
      SSA does not have a POA&M process that tracks all significant weaknesses as
      specified in the OMB FISMA guidance.[2] We recommend SSA develop and
      implement an adequate process to identify, report, monitor, and resolve systems
      and security related weaknesses through the POA&M process. This process
      should include the ability to track all significant system weaknesses and to
      validate that corrective actions remedied those weaknesses. See pages 4 and 5
      for more detail.

________________
[1] Public Law 107-347, Title III, section 301.
[2] Public Law 107-347, Title III, section 301, § 3544(b)(6), and OMB Memorandum M-03-19, Reporting
    Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT
    Security Reporting, August 6, 2003, Attachment C, section I.A.2, p. 20.


Page 2 - The Commissioner

   2. Not all programs, systems, and subsystems are identified and reported as
      specified in the FISMA guidance.[3] We recommend SSA identify all such
      programs, systems and subsystems. See page 6 for more details.

   3. SSA does not have a complete, coordinated, and fully tested continuity of
      operations plan (COOP).[4] We recommend SSA work with other organizations to
      fully resolve this issue. See page 7 for more details.

   4. The Office of the Chief Information Officer (OCIO) does not have sufficient resources
      to manage and monitor all IT security related activities to ensure compliance with
      the Electronic Government (E-Government) Act of 2002.[5] We recommend SSA
      provide the OCIO with the necessary resources to manage all Information
      Technology (IT) security related activities, which would enable the Agency to
      comply with the E-Government Act of 2002. See page 8 for more details.

   5. SSA does not adequately track and monitor all information security training.[6] We
      recommend SSA implement a system to track and monitor information security
      training. See page 9 for more details.


SCOPE AND METHODOLOGY

FISMA directs each agency's Office of Inspector General (OIG) to perform an annual,
independent evaluation of the agency's information security program and practices, as
well as a review of an appropriate subset of agency systems.[7] The SSA/OIG contracted
with PricewaterhouseCoopers LLP (PwC) to audit SSA's FY 2003 financial statements.
Because of the extensive internal control system work that is completed as part of that
audit, our FISMA review requirements were incorporated into the PwC financial
statement audit contract. This audit included Federal Information System Controls
Audit Manual-level reviews of SSA's mission critical sensitive systems. PwC performed
an "agreed-upon procedures" engagement using FISMA, the Office of Management and
Budget (OMB) Memorandum M-03-19, Reporting Instructions for the Federal
Information Security Management Act and Updated Guidance on Quarterly IT Security
Reporting, National Institute of Standards and Technology (NIST) guidance, and other
relevant security laws and regulations as a framework to complete the OIG required
review of SSA's information security program and practices and its sensitive systems.
Part of the field work included the completion of the NIST Security Self-Assessment
Guide for Information Technology Systems[8] (Self-Assessment).

________________
[3] Public Law 107-347, Title III, § 3544(b)(3), and OMB Memorandum M-03-19, Reporting Instructions for
    the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security
    Reporting, August 6, 2003, Attachment B.I.A.2a, p. 11.
[4] Public Law 107-347, Title III, section 301, § 3544(b)(8), and OMB Memorandum M-03-19, Reporting
    Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT
    Security Reporting, August 6, 2003, Attachment A, section E, p. 7.
[5] Public Law 107-347, Title II, section 202(f) and section 209; Title III, section 301, § 3544(a)(3)(iv); and
    OMB Memorandum M-03-18, Implementation Guidance for the E-Government Act of 2002,
    August 1, 2003, p. 4.
[6] Public Law 107-347, Title III, section 301, § 3544(a)(4), and OMB Memorandum M-03-19, Reporting
    Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT
    Security Reporting, August 6, 2003, Attachment B.I.C.3, p. 15.
[7] Public Law 107-347, Title III, section 301, § 3545(b)(1).


Page 3 - The Commissioner

FISMA also requires that we evaluate the Agency's compliance with the President's
Management Agenda and determine whether the Agency has developed, implemented,
and managed an agency-wide POA&M process.[9]

The results of our FISMA evaluation are based on the PwC FY 2003 FISMA Agreed-
Upon Procedures report and working papers, various audits and evaluations performed
by other contractors, PwC, and this office. We also reviewed the final draft of SSA's
Annual Security Program Review Federal Information Security Management Act
FY 2003 report and the Agency's Independent Review of Information Technology
Security Program Self-Assessment report.

We performed field work at SSA facilities nationwide from April through September
2003. The evaluations were performed in accordance with generally accepted
government auditing standards.

BACKGROUND AND CURRENT SECURITY STATUS

FISMA requires agencies to create protective environments for their information
systems.
It does so by creating a framework for annual IT security reviews, vulnerability
reporting and remediation planning.[10] Since 1997, SSA has had an internal controls
reportable condition concerning its protection of information.[11] The resolution of this
reportable condition remains a priority for the Agency. SSA is working with the OIG and
PwC to develop an approach to resolve this reportable condition and other issues
including:

•   physical access controls at non-Headquarters locations, including SSA's regional
    offices, program service centers (PSC), and selected Disability Determination
    Services (DDS);

•   implementation and monitoring of technical security configuration standards
    governing the systems housed in the National Computer Center and systems
    housed off-site; and

•   monitoring security violations and periodic review of user access.

________________
[8]  NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems.
[9]  See footnote 2.
[10] See footnote 2.
[11] SSA's FY 2002 Performance and Accountability Report, pp. 178-9.


Page 4 - The Commissioner

In August 2001, the President's Management Agenda was initiated to improve the
management and performance of Government. The Agenda's guiding principles are
that Government services should be citizen-centered, results-oriented, and market
based. OMB developed a traffic light scorecard to show the progress agencies made:
green for success, yellow for mixed results, and red for unsatisfactory. The expansion
of E-Government services is one of the five government-wide initiatives assessed.
SSA's current status is yellow and its score for progress in implementing E-Government
services is green. FISMA requires agencies to take a risk-based, cost-effective
approach to securing their information and systems, and assists Federal agencies in
meeting their responsibilities under the President's Management Agenda. FISMA
reauthorized the framework laid out in the Government Information Security Reform Act[12]
(GISRA), which expired in November 2002. In addition to the previous GISRA
requirements, FISMA authorizes NIST to develop standards for Agency systems
and security programs.[13]

FISMA also requires agencies to prepare and submit POA&M reports for all programs
and systems where an IT security weakness was found.[14] The purpose of the POA&M
is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress
of corrective efforts for reported security weaknesses. POA&M reports support the
effective remediation of IT security weaknesses, which is essential to achieving a
mature and sound IT security program and securing agency information and systems.
FISMA now requires the OIG to evaluate the agency's POA&M process;[15] this
evaluation is instrumental in enabling the agency to get to green under the expanding
E-Government Scorecard of the President's Management Agenda.

SSA HAS NOT REPORTED ALL SIGNIFICANT SYSTEM DEFICIENCIES

In its FY 2003 FISMA report, SSA did not report any material weaknesses. There are,
however, numerous system-related deficiencies disclosed through OIG and contractor
audits, which should be reported. FISMA guidance[16] requires agencies to identify and
report all material weaknesses and indicate whether POA&Ms have been developed for
those weaknesses. Specifically, agencies are required to report any significant
deficiencies in a policy, procedure, or practice. However, SSA has only reported those
material weaknesses as defined under the Chief Financial Officers'[17] and Federal
Managers' Financial Integrity Acts.[18] Based on FISMA reporting guidance,[19] SSA
should report all significant deficiencies in its security program and develop POA&Ms for
these deficiencies.

________________
[12] Public Law 106-398.
[13] Public Law 107-347, Title III, section 301, § 3543(a)(3).
[14] See footnote 2.
[15] Public Law 107-347, Title III, section 301, § 3544(b)(6).
[16] OMB Memorandum M-03-19, Reporting Instructions for the Federal Information Security Management
     Act and Updated Guidance on Quarterly IT Security Reporting, August 6, 2003, Attachment A, section H,
     p. 8.
[17] Public Law 101-576.
[18] Public Law 97-255.
[19] OMB Memorandum M-03-19, Reporting Instructions for the Federal Information Security Management
     Act and Updated Guidance on Quarterly IT Security Reporting, August 6, 2003, Attachment C, section
     I.A.2, p. 20.


Page 5 - The Commissioner

SSA completed the NIST Self-Assessment as part of its review for FISMA FY 2003. In
its Self-Assessment, SSA did not report any system weaknesses or deficiencies. In the
OIG's FY 2003 completion of the Self-Assessment Guide for SSA, numerous weaknesses
or deficiencies were noted, including:

•   Inconsistencies between Windows NT risk models and the actual settings found
    on machines in remote locations;

•   Lack of periodic access reviews, including reviews of access to mainframe
    production data; and

•   Weaknesses in access controls over telecommunications hardware/facilities at
    PSCs and DDSs.

Presently, several components monitor and track open security and system related
recommendations from contractor, General Accounting Office (GAO), and OIG reviews
and audits. SSA is currently developing a database to consolidate the system-related
weaknesses tracked by those different components so that it can easily determine the
status of, and track the remediation of, its total universe of weaknesses. SSA's Chief
Security Officer (CSO) anticipates that the Agency's POA&M process will use this
database to identify and report on systems and security related deficiencies by the end
of FY 2004.

AGENCY'S PLAN OF ACTION AND MILESTONES PROCESS DOES
NOT FULLY MEET FISMA REQUIREMENTS

In June 2003, SSA management reported only eight weaknesses in the most recent
quarterly update of its POA&M report. However, OMB guidance[20] requires that
agencies also report "…all security weaknesses found during any other review done by,
for, or on behalf of the agency, including GAO audits, financial systems audits, and
critical infrastructure vulnerability evaluations." Based upon all OIG, GAO, PwC, and
contractor reviews and audits, there are additional weaknesses SSA should report.
Examples of these weaknesses include the need to:

•   Improve coordination for continuity of operations plans between the IT team and
    business operations;

•   Establish policy and procedures to automatically remove inactive user IDs; and

•   Ensure that all sensitive external transmissions are encrypted.

________________
[20] See footnote 19.


Page 6 - The Commissioner

According to OMB guidance,[21] Federal agencies must meet three criteria to get a score
of green for security on the E-Government scorecard. Specifically, the OIG must
provide a positive assertion that the agency-wide POA&M process has been improved
and includes a verifiable remediation process.
For SSA to improve its current status on
its E-Government scorecard to green, its POA&M process needs to be implemented.
Based on our evaluation, SSA's current process for monitoring weaknesses is
decentralized and does not contain a method to verify remediation. SSA is in the
process of building a new system-related database that will meet those needs.

SSA HAS NOT IDENTIFIED ALL PROGRAMS, SYSTEMS AND
SUBSYSTEMS

OMB guidance[22] requires that all agencies identify all programs, systems and
subsystems, not just sensitive systems. Program officials and CIOs are responsible for
reviewing the security of all programs and systems under their respective control. Such
reviews are not adequate without a review of all systems supporting an agency's
programs.

For the past several years, SSA has not included all programs, systems and
subsystems in its Government Information Security Reform Act and FISMA reports.
SSA's CSO, however, indicated that the Agency is in the process of developing a
complete inventory of applications that support the Agency. The draft documentation
shows a more comprehensive approach to identifying what applications are supported
under the 17 sensitive systems certified annually. The Agency indicated that the project
is scheduled to be completed during FY 2004. Once this list is complete, we will be
able to determine whether all programs, systems and subsystems were appropriately
reviewed.

________________
[21] OMB Memorandum M-03-19, Reporting Instructions for the Federal Information Security Management
     Act and Updated Guidance on Quarterly IT Security Reporting, August 6, 2003, Attachment B, section
     II.B, p. 18.
[22] OMB Memorandum M-03-19, Reporting Instructions for the Federal Information Security Management
     Act and Updated Guidance on Quarterly IT Security Reporting, August 6, 2003, Attachment B.I.A, A.2a,
     p. 11.


Page 7 - The Commissioner

SSA NEEDS TO COMPLETE ITS CONTINUITY OF OPERATIONS PLANS

SSA has not fully completed, coordinated, and tested its COOP. FISMA[23] codifies a
longstanding policy requirement that each agency's security program and security plan
include the provision for a COOP for information systems that support the operations
and assets of the agency. FISMA guidance[24] explicitly includes in this requirement
information and information systems "…provided or managed by another agency,
contractor, or other source," and adds that "[f]or the purposes of agency implementation,
'other source' has the same meaning as 'other organization on behalf of an agency'
discussed above."

SSA continues to improve its COOP for the entire Agency, but there are still some
deficiencies and weaknesses. The COOP for mission critical systems is being
developed, but is not completed. The COOP has not been tested and does not address
information and information systems provided or managed by another agency,
contractor or other source. SSA relies heavily upon other Federal and State
government agencies, such as State DDSs and the Department of the Treasury, but SSA is
uncertain as to the availability of these agencies in the event of a disaster. Our audits
have repeatedly shown that DDSs do not have adequate COOPs. The DDSs do not
identify resources needed to maintain critical operations in the event of a disaster.
Generally, we found that DDS COOPs have not been tested.

As another example, without Treasury's Financial Management Service (FMS), all
Supplemental Security Income (SSI) payments would cease. FMS has mitigation
efforts in place to help ensure that SSI recipients would receive their payments.
However, Treasury's FY 2002 Financial Statement report[25] includes service
continuity as a material weakness. Specifically, the report states that several significant
deficiencies, including insufficient planning and testing, could impair timely restoration of
mission critical systems, including the payment systems.[26] Without coordinating its
plans with other organizations, SSA's ability to perform its mission in the event of a
disaster could be greatly diminished.

________________
[23] Public Law 107-347, § 3544(b)(8).
[24] OMB Memorandum M-03-19, Reporting Instructions for the Federal Information Security Management
     Act and Updated Guidance on Quarterly IT Security Reporting, August 6, 2003, Attachment A, section
     E, p. 7.
[25] Treasury's FY 2002 and 2001 Financial Statements (OIG-03-014).
[26] Audit of FMS' FY 2002 and 2001 Schedules of Non-Entity Government-Wide Cash (OIG-03-039).


Page 8 - The Commissioner

SSA'S OCIO'S RESPONSIBILITIES AND AUTHORITY NEED
IMPROVEMENT TO FULLY COMPLY WITH THE E-GOVERNMENT ACT

Previously, we reported[27] weaknesses in SSA's security management structure and
recommended a number of improvements, including the creation of the OCIO. These
recommendations were made to ensure that SSA complied with the requirements of the
Computer Security Act of 1987,[28] GISRA, and the Clinger-Cohen Act of 1996.[29] Based
on our recommendations, SSA created the OCIO, which restructured the information
security program.

Since that report, Congress has established a wide statutory framework for IT. The
E-Government Act of 2002 enhances this framework. This Act requires each Federal
agency to follow information resource management policies and guidance established
by OMB and developed by NIST.[30] According to OMB guidance,[31] agency Chief
Information Officers (CIOs) must monitor their agency's implementation of IT standards
developed by NIST. These standards include guidelines for the connection and
operations between systems, categorization of Federal Government electronic
information, and computer system efficiency and security.

FISMA requires that each Federal agency CIO head an office with the mission and
necessary resources to ensure agency compliance with the Act.[32] Currently,
SSA's CSO reports directly to the CIO. The CSO has a small staff that is responsible
for directing and managing the Agency's enterprise information technology security
program. The CSO establishes agency-wide security policies and manages the
reporting and monitoring processes to ensure compliance. This is accomplished using
a network of people in various locations throughout the Agency. For example, security
policy is developed by one component and implemented by the systems staff of another
component. The CSO must coordinate activities with these individuals without any
direct reporting relationship to their components. This decentralization and the small
staff inhibit the efficiency of the process.

We reviewed a number of Federal agencies' organizational structures and found that
numerous CIOs were responsible for virtually all IT operations, including security
activities. For example, within the United States Department of Health and Human
Services (HHS), the CIO's office is located in the Office of Information Resources
Management. The HHS CIO serves as the primary IT leader for HHS and is
responsible for developing an IT plan that lays out the Secretary's vision for enterprise
architecture, consolidated systems, and strong IT security.

________________
[27] OIG report, Compliance of the Social Security Administration's Computer Security Program with
     Applicable Laws and Regulations, June 2001 (A-13-98-12044).
[28] Public Law 100-235.
[29] Public Law 104-106.
[30] Public Law 107-347, Title II, section 202(a)(1).
[31] OMB Memorandum M-03-18, Implementation Guidance for the E-Government Act of 2002,
     August 1, 2003, p. 4.
[32] Public Law 107-347, Title III, § 3544(a)(3)(iv).


Page 9 - The Commissioner

Our review of the Department of Veterans Affairs (VA) CIO office structure found that
the VA CIO is also the Assistant Secretary for Information and Technology. The VA CIO
manages the Office of Information and Technology, which is responsible for a variety of
functions including integrated business and IT planning, security and contingency
planning, managing VA's wide area data communications network, and protecting
information and privacy across VA's systems and networks. For SSA to be in full
compliance with the E-Government Act, SSA's OCIO needs sufficient resources to
ensure that it can manage and monitor all IT security related activities.


SSA NEEDS TO DEVELOP AN INFORMATION SECURITY TRAINING
SYSTEM

According to OMB guidance,[33] agency CIOs should ensure that an appropriate IT
security training program is established and operational. FISMA requires that agencies
report on information security training provided to employees during the reporting period.
We found that SSA provides specialized security training for those employees with
extensive security responsibilities and security awareness training for other employees
to perform their normal duties. However, SSA does not have a system in place that can
accurately track what IT security training was provided to which employees, when the
training was provided, and the cost of the training that was provided.
To comply with
FISMA reporting requirements, the Agency requested security training information from
all components. Three components, comprising approximately 25 percent of the
Agency's employee population, did not provide data that the Agency needed for FISMA
reporting. Additionally, a number of components provided information on training
courses that contained little or no security content. SSA has been trying to develop a
training system to track security training for 3 years. The system is still not
implemented. When the system is implemented, it will greatly enhance SSA's ability to
manage an adequate, efficient information system security training program.


CONCLUSIONS AND RECOMMENDATIONS

During our FY 2003 FISMA evaluation, we determined that SSA generally met the
requirements of FISMA. SSA has developed and implemented a wide range of security
policies, plans, and practices to safeguard its systems, operations, and assets. Over
the years, SSA has created its OCIO, established a Critical Infrastructure Protection
workgroup to oversee compliance with Presidential Decision Directive 63,[34] and
implemented an incident response team.

________________
[33] OMB Memorandum M-03-18, Implementation Guidance for the E-Government Act of 2002, August 1, 2003,
     p. 4, and OMB Memorandum M-03-19, Reporting Instructions for the Federal Information Security
     Management Act and Updated Guidance on Quarterly IT Security Reporting, August 6, 2003,
     Attachment B.I.C.3, p. 15.
[34] The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive
     63, May 22, 1998.


Page 10 - The Commissioner

To fully comply with FISMA and other information security related laws and regulations
in the future, we recommend SSA:

1. Continue to develop a system to identify, track and report the resolution of all
   significant system deficiencies that can be used to create and monitor POA&Ms.

2. Clearly document and identify all programs, systems and subsystems to ensure they
   are reported and reviewed in compliance with FISMA.

3. Continue to develop and implement a complete and coordinated COOP for the
   Agency which is tested on a regular basis.

4. Provide sufficient resources to permit the OCIO to ensure SSA is in full compliance
   with the E-Government Act.

5. Continue to develop and implement an IT security training tracking and monitoring
   system.


                                        James G. Huse, Jr.


                                   Addendum
   Office of the Inspector General's Detailed Report
 on the Social Security Administration's Compliance
with the Federal Information Security Management Act


               FY 2003 Completed OMB FISMA Reporting Worksheets for SSA

A.2a.[1] Identify the total number of programs and systems in the Agency, the total number of systems and programs
reviewed by the program officials and Chief Information Officers (CIOs) in Fiscal Year (FY) 03, the total number of
contractor operations or facilities, and the number of contractor operations or facilities reviewed in FY03.
Additionally, Inspectors General (IGs) shall also identify the total number of programs, systems, and contractor
operations or facilities that they evaluated in FY03.

                    FY03 Programs            FY03 Systems             FY03 Contractor Operations or Facilities
Bureau Name         Total    Reviewed        Total    Reviewed        Total    Reviewed
SSA                 1        1               17       17              16       16
Agency Total        1        1               17       17              16       16

b. For operations and assets under their control, have Agency program officials and the Agency CIO used
   appropriate methods (e.g., audits or inspections) to ensure that contractor provided services or services
   provided by another Agency for their program and systems are adequately secure and meet the requirements of
   the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) policy and
   National Institute of Standards and Technology (NIST) guidelines, national security policy, and Agency policy?
        Yes        Yes        Yes        Yes

c. If yes, what methods are used? If no, please explain why.
   Audits, evaluations and assessments were completed by the Office of the Inspector General (OIG), General
   Accounting Office (GAO), and other audit contractors. Evaluations and surveys were performed by the Office of
   Protective Security Services and SEI.

d. Did the Agency use the NIST Self-Assessment Guide to conduct its reviews?
   Social Security Administration (SSA) completed the NIST Self-Assessment Guide for all 17 sensitive systems.
   However, the OIG found that the Assessment completed by the Agency did not include all system related
   findings. See Note 1.

e. If the Agency did not use the NIST Self-Assessment Guide and instead used an Agency-developed methodology,
   please confirm that all elements of the NIST Guide were addressed in the Agency methodology.
   SSA used the NIST Self-Assessment Guide for all 17 sensitive systems.

f. Provide a brief update on the Agency's work to develop an inventory of major Information Technology (IT)
   systems.
   See Note 2.

________________
[1] Per OMB Guidance, question A.1 is completed only by the Agency.

        OIG's Detailed Report on SSA's Compliance with FISMA (A-14-03-13046)


OIG performed or participated in 71 different audits at SSA or contractor locations. These locations included SSA (38),
Disability Determination Service (17), Representative Payee (7), Consulting Physicians for Disability Exams (2), OIG (2), Data
Matching with Foreign Countries (1), State Bureau of Vital Statistics (1), States (1), Texas Workers Compensation (1), and
Wage Reporting (1). As part of the financial statement audit, PricewaterhouseCoopers LLP (PwC) tested the following
applications for the OIG during FY 2003: Cost Accounting System, Death Alert Control & Update System, Earnings Records
Maintenance System, Financial Accounting System, Integrated Client Database, Modernized Enumeration System,
Modernized Claims System, Retirement, Survivors & Disability Insurance Accounting System, Retirement, Survivors &
Disability Insurance Post Entitlement System, Manual Adjustment, Credit, & Award Processes, Debt Management System,
Modernized Supplemental Security Income Claims System, Supplemental Security Income Records Maintenance System,
Comprehensive Integrity Review Process, Office of Quality Assurance/Pre-effectuation Review, Property Accountability
System, Internet Social Security Benefit Application, and FALCON Data Entry System. The audits were completed using
Federal Information System Controls Audit Manual standards and Generally Accepted Government Auditing Standards.

Note 1: The Agency, OIG, and GAO completed or directed completion of multiple audits at vendor and contractor locations,
as documented in A.2. The audit plans may or may not address all elements of the NIST Self-Assessment, depending on the
scope and expectations of the review or assessment being accomplished.

Note 2: The Agency is in the process of developing a complete inventory of applications that support the Agency. The
information is in draft at this time and not ready for release, but shows a more comprehensive approach to identifying what
applications are supported under the 17 Sensitive Systems that are certified annually. To date, 43 additional
applications have been initially identified. The project is scheduled to be completed during FY 2004.


A.3. Identify all material weaknesses in policies, procedures, or practices as identified and required to be
reported under existing law in FY03. Identify the number of material weaknesses repeated from FY02,
describe each material weakness, and indicate whether plans of action and milestones (POA&Ms) have
been developed for all of the material weaknesses.

                                       FY03 Material Weaknesses
Bureau Name     Total Number   Total Number Repeated   Identify and Describe Each   POA&Ms Developed?
                               from FY02               Material Weakness            Y/N
SSA             0              See Note 1              See Note 1                   Yes
Agency Total    0

Note 1: There were 3 POA&Ms carried over from FY 2002. Status on all three, as of 7/3/03, was "Ongoing".
Each issue had multiple parts/milestones identified that needed to be resolved before the entire issue could be
closed. For issue FY02.1 there were 2 sub-tasks identified; for FY02.3, 1 sub-task; and for FY02.4, 5 sub-tasks. The
FY02.1 sub-tasks noted the tasks would be completed by the end of Calendar Year (CY) 04, with full resolution expected
during FY04. FY02.3 indicated no change but referred to a sub-task in FY02.1 that was scheduled to be
completed by the end of CY04. The FY02.4 sub-task statuses indicated completion in Quarter (Q) 4 FY03, end of July
2003, end of 2003, Q4 FY03, and end of CY03, respectively.

The OIG found that SSA does not have POA&Ms for all weaknesses. For example, the OIG's management
information system shows 40 system and security related weaknesses that may require POA&Ms to be
developed.


A.4. This question is for IGs only. Please assess whether the agency has developed, implemented, and is
managing an agency-wide plan of action and milestone process that meets the criteria below. Where
appropriate, please include additional explanation in the column next to each criterion.

Criterion                                                                        Yes               No
Agency program officials develop, implement, and manage POA&Ms for                                 See Note 1
every system that they own and operate (systems that support their
programs) that has an IT security weakness.

Agency program officials report to the CIO on a regular basis (at least          Yes - POA&Ms
quarterly) on their remediation progress.                                        are created
quarterly.\nAgency CIO develops, implements, and manages POA&Ms for every system                           See Note 1\nthat they own and operate (systems that support their programs) that has an\nIT security weakness.\nThe agency CIO centrally tracks and maintains all POA&M activities on at            Yes\nleast a quarterly basis.\nThe POA&M is the authoritative agency and IG management tool to identify                      No - See Note\nand monitor agency actions for correcting information and IT security                               2\nweaknesses.\nSystem-level POA&Ms are tied directly to the system budget request through          Yes\nthe IT business case as required in OMB budget guidance (Circular A-11) to\ntie the justification for IT security funds to the budget process.\nAgency IGs are an integral part of the POA&M process and have access to                        See Note 3\nagency POA&Ms.\nThe agency\'s POA&M process represents a prioritization of agency IT          Yes (see Note 1)\nsecurity weaknesses that ensures that significant IT security weaknesses are\naddressed in a timely manner and receive, where necessary, appropriate\nresources.\n\nNote 1: The Agency has an undocumented practice in place to develop POA&Ms based on systems and\nsecurity issues identified from audits, assessments, and evaluations. SSA is developing a single database that\nOffice of System Security Operations Management (OSSOM) will maintain and administer under the guidance\nof Chief Security Officer (CSO). SSA expects to complete the tracking system and database within the next\nfew months. Once complete, the application will be used to develop the POA&M report.\nNote 2: The POA&M development process is limited to those issues that the CIO deems appropriate. The\nAgency has other systems and processes in place to track the issues noted during audits, assessments, and\nevaluations. 
The Agency makes its own determination when these issues have been resolved.\nNote 3: To date, the OIG has not been sent the POA&Ms on a regular basis. The OIG is working with the\nOffice of the Chief Information Officer (OCIO) to improve coordination and reporting under the POA&M process.\n\n\n\n\nOIG\xe2\x80\x99s Detailed Report on SSA\xe2\x80\x99s Compliance with FISMA (A-14-03-13046)                                4\n\x0cB.1. Identify and describe any specific steps taken    SSA established the OCIO on July 11, 2002 for the\nby the agency head to clearly and unambiguously        CSO function, and was signed by SSA\xe2\x80\x99s Commissioner\nset forth FISMA\'s responsibilities and authorities     on July 1, 2002. The OCIO includes a separate sub-\nfor the agency CIO and program officials.              office for IT Systems Review and another for IT\nSpecifically how are such steps implemented and        Security Policy. These steps are largely implemented\nenforced?                                              through the Information System Security Handbook.\n                                                       Enforcement of the policy comes from reviews of\n                                                       practices through Agency, contractor, and OIG reviews\n                                                       and audits.\nB.2. Can a major operating component of the            No - SSA policy requires such projects and investment\nagency make an IT investment decision without          requests to be approved by the CIO as part of the\nreview by and concurrence of the agency CIO?           budget process.\nB.3. How does the head of the agency ensure that SSA\xe2\x80\x99s System Development Life Cycle (SDLC)\nthe agency\xe2\x80\x99s information security plan is practiced methodology in place (Project Resource Guide)\nthroughout the life cycle of each agency system? 
includes a security component in each stage of any\n                                                       given project throughout its development and\n                                                       implementation (including system changes). A review\n                                                       of security practices and security controls is included\n                                                       as part of the annual Sensitive Systems Accreditation\n                                                       and Certification process. The annual certifications\n                                                       and accreditations represent specific steps taken to\n                                                       ensure security plans for sensitive and mission-critical\n                                                       systems are up-to-date and practiced throughout the\n                                                       systems life cycle\nB.4. During the reporting period, did the agency       Yes \xe2\x80\x93 The Agency oversees performance through the\nhead take any specific and direct actions to           use of audits and reviews by contractors, GAO, and\noversee the performance of 1) agency program           OIG.\nofficials and 2) the CIO to verify that such officials\nare ensuring that security plans are up-to-date and\npracticed throughout the lifecycle of each system?\nPlease Describe.\nB.5. Has the agency integrated its information and Yes \xe2\x80\x93 SSA has integrated its information security\ninformation technology security program with its       program with its critical infrastructure protection (CIP)\ncritical infrastructure protection responsibilities    responsibilities and other security programs. SSA\xe2\x80\x99s\nand other security programs (e.g., continuity of       CIP workgroup consists of various security personnel\noperations, and physical and operational security)? 
within the Agency that address physical security,\nPlease Describe.                                       continuity of operations, and information systems\n                                                       security.\nB.6. Does the agency have separate staffs devoted Yes - Agency views all its security activities as falling\nto other security programs, are such programs          under a single security program supported by the entire\nunder the authority of different agency officials, if organization. Different security components are placed\nso what specific efforts have been taken by the        throughout the Agency. The components have indirect\nagency head or other officials to eliminate            reporting links to the CSO\xe2\x80\x99s office (which is considered\nunnecessary duplication of overhead costs and          the primary security component). Security components\nensure that policies and procedures are consistent are allocated as needed and appropriate to minimize\nand complimentary across the various programs          the possibility of duplication of effort.\nand disciplines?\n\n\n\n\nOIG\xe2\x80\x99s Detailed Report on SSA\xe2\x80\x99s Compliance with FISMA (A-14-03-13046)                                  5\n\x0cB.7. Identification of agency\xe2\x80\x99s critical operations and assets (both national critical operations and\nassets and mission critical) and the interdependencies and interrelationships of those operations and\nassets\na. Has the agency fully identified its national critical operations and assets?              Yes\nb. Has the agency fully identified the interdependencies and                             In process.\ninterrelationships of those nationally critical operations and assets?\nc. Has the agency fully identified its mission critical operations and assets?               Yes\nd. 
Has the agency fully identified the interdependencies and                             In process\ninterrelationships of those mission critical operations and assets?\ne. If yes, describe the steps the agency has taken as a result of the review.              Note 1\nf. If no, please explain why.                                                                  N/A\nNote 1: The Agency has identified eight critical assets as part of the Project Matrix Step One, and has\ncompleted vulnerability assessment for seven of the eight assets. Project Matrix Step Two reviews have been\ncompleted for five of the eight critical assets by the OIG and the Chief Infrastructure Assurance Office. Step\nTwo review of one asset is in the draft report stage and the Step Two review of the last two assets is in the\nfieldwork stage.\n\n\n\n\nOIG\xe2\x80\x99s Detailed Report on SSA\xe2\x80\x99s Compliance with FISMA (A-14-03-13046)                                  6\n\x0cB.8. How does the agency head ensure that the agency, including all components, has documented\nprocedures for reporting security incidents and sharing information regarding common vulnerabilities?\na. Identify and describe the procedures for external reporting to law                           Note 1\nenforcement authorities and to the Federal Computer Incident Response\nCenter (FedCIRC).\nb. Total number of agency components or bureaus.                                                 1,500\nc. Number of agency components with incident handling and response                                2\ncapability.                                                                                     Note 1\nd. Number of agency components that report to FedCIRC.                                            1\ne. Does the agency and its major components share incident information                            Yes\nwith FedCIRC in a timely manner consistent with FedCIRC and OMB\nguidance?\nf. 
What is the required average time to report to the agency and FedCIRC                  Immediately after a\nfollowing an incident?                                                                  reportable incident has\n                                                                                            been identified\ng. How does the agency, including the programs within major components,                         Note 2\nconfirm that patches have been tested and installed in a timely manner?\n\nh. Is the agency a member of the Patch Authentication and Distribution                            Yes\nCapability operated by FedCIRC?\n\ni. If yes, how many active users does the agency have for this service?               1 - SSA component Office\n                                                                                      of Telecommunication and\n                                                                                         Systems Operations\n                                                                                               (OTSO)\nj. Has the agency developed and complied with specific configuration                            Note 3\nrequirements that meet their own needs?\n\nk. 
Do these configuration requirements address patching of security                             Note 3\nvulnerabilities?\n\n\n\nNote 1: Although OTSO identifies incidents through the Incident Response Checklist and also communicates\nthe monthly status to FedCIRC, OIG has primary responsibility to communicate such incidents to appropriate\nlaw enforcement agencies when necessary.\n\nNote 2: OTSO has subscribed to the FedCIRC patch program but it is still in the initial implementation stage.\nSystem Software and Change Control testing in the National Computer Center accomplished in prior years\nnoted that the Agency has a robust problem identification, validation, and implementation process that include\nidentifying patches from multiple software vendor sites and then testing them in phases until fully confident that\nthey resolve the problem intended. This process has been implemented to ensure that the Agency identifies\npatches that address weaknesses that may pose a threat to the Agency\'s ability to maintain a safe, sound, and\nsecure server-based environment.\nNote 3: The Agency has developed configuration standards for the AS/400, UNIX, NT, and Windows operating\nenvironments. There has not been a standard developed for any other operating environment that may be in\nuse by ancillary locations or offices. There is an automated process in place that includes polling the AS/400\'s\nin field locations and identifying configuration anomalies and then decides whether to resolve or waive any\ndiscrepancies. If a weakness is identified that requires installation of a patch to resolve that weakness, the\npatch will be implemented across all appropriate domains.\n\n\n\n\nOIG\xe2\x80\x99s Detailed Report on SSA\xe2\x80\x99s Compliance with FISMA (A-14-03-13046)                                     7\n\x0cB.9. 
Identify by bureau, the number of incidents (e.g., successful and unsuccessful network\npenetrations, root or user account compromises, denial of service attacks, website defacing attacks,\nmalicious code and virus, probes and scans, password access) reported and those reported to\nFedCIRC or law enforcement.\n                    Number of incidents    Number of incidents reported   Number of incidents reported\n  Bureau Name\n                          reported           externally to FedCIRC        externally to law enforcement\n       SSA                  None                      None                             None\n\n\n\n\nOIG\xe2\x80\x99s Detailed Report on SSA\xe2\x80\x99s Compliance with FISMA (A-14-03-13046)                            8\n\x0cC.1. Have agency program officials and the agency CIO: 1) assessed the risk to operations and assets under their\ncontrol; 2) determined the level of security appropriate to protect such operations and assets;\n3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting\nthe operations and assets under their control; and 4) tested and evaluated security controls and techniques? By\neach major agency component and aggregated into an agency total, identify actual performance in FY03 according\nto the measures and in the format provided below for the number and percentage of total systems.\n                                                           f. Number\n                                                                                         g.\n                                                                 of\n                                          d.                                       
Number of\n                                                             systems\n                                       Number                                        systems\n                                                                with                                     i. Number of\n                      c. Number of        of    e. Number                           for which h. Number\n                                                             security                                     systems for\n                    systems assessed systems of systems                              security of systems\n                                                              control                                        which\n                       for risk and   that have certified                            controls    with a\n                                                               costs                                     contingency\n                     assigned a level an up-to-     and                            have been contingency\n                                                           integrated                                      plans have\n                          or risk       date IT accredited                         tested and     plan\n                                                             into the                                     been tested\n                                       security                                     evaluated\n                                                            life cycle\n                                         plan                                       in the last\n                                                               of the\n                                                                                       year\n           b. Total                                           system\na. Bureau Number of No. of       % of\n  Name     Systems Systems Systems No. % No.        
   %   No. %                    No.    %     No.     %    No.        %\n\n   SSA        17       17        100  17 100 17       100 17 100                     17   100    16    94.1    14       82.4\n Agency\n              17       17        100  17 100 17       100 17 100                     17   100    16    94.1    14       82.4\n   Total\n\nSSA\xe2\x80\x99s annual system accreditations and certifications assess the risk to operations and assets under its control and\ndetermines the level of security required to protect these assets and their operations. (See Addendum I ) According to SSA\nthere are only 17 systems; however, this does not include all subsystems as required by FISMA.\n\nAccording to the Federal Guidelines followed for the performance of the annual accreditations and certifications, each\ndivision or unit with responsibility for a specific sensitive system asserts that the reviews are performed in accordance with\nthe guidance provided in NIST Special Publication 800-18 and Appendix III of OMB Circular A-130. While the accreditation\nassessment reports note few specific system weaknesses, they do refer to related audit reports containing identified control\nand security weaknesses.\n\nAdditionally, the SSA has identified its critical assets as part of the CIP process and performed assessments of risks for\nthese assets (6 of 8) as noted in step B.4 above, to identify controls needed and levels of risk associated with the critical\nassets identified by the CIP. The results of these assessments are to be used to determine the level of security needed to\nprotect these assets.\n\nThe Agency considers security in each stage of the systems development life cycle (SDLC), including system changes.\nThis is also documented in the SDLC procedures for changes to SSA systems. Management further asserted that the\nreview of security practices and security controls is performed as part of the annual sensitive system accreditation and\ncertification. 
These annual reviews represent specific steps taken to ensure that security plans are up-to-date and continue\nto be practiced throughout the life cycle of each system and represent how management has maintained an up-to-date\nsecurity plan for their systems. Management used outside contractors to perform independent reviews, assessments, and\nevaluations during FY 2003 to test and evaluate security controls and techniques. These assessments were undertaken for\ncritical assets and are considered by the Agency to be outside of the normal audit schedule as accomplished in other\ndivisions and operating units. These assessments were undertaken based on management\'s decision to obtain a different\nlevel of confirmation as to where security weaknesses may exist in the core environments.\n\n\n\n\n          OIG\xe2\x80\x99s Detailed Report on SSA\xe2\x80\x99s Compliance with FISMA (A-14-03-13046)                                      9\n\x0cAccording to SSA, two of the three systems that have not had their contingency plans tested, the Comprehensive Integrity\nReview Program (CIRP) and the Audit Tracking System (ATS), are deemed to be non-critical and, as such, are not required\nto be recovered immediately after a disaster. The third system\xe2\x80\x94the LOGIPLEX building access system\xe2\x80\x94has not been\ntested because in the event of a disaster an alternate access system, will be utilized at the recovery center. The critical\nsub-component of the Human Resources Management Information System (HRMIS), which is payroll, was tested as part of\nthe disaster recovery exercise.\n\n\n\n\n         OIG\xe2\x80\x99s Detailed Report on SSA\xe2\x80\x99s Compliance with FISMA (A-14-03-13046)                                  10\n\x0cC.2. 
Identify whether the agency CIO has adequately maintained an agency-wide IT security program and ensured\nthe effective implementation of the program and evaluated the performance of major agency components.\n\n                                                                    Has the agency CIO\nHas the agency CIO Did the CIO evaluate           How does the\n                                                                     appointed a senior       Do agency POA&Ms account for\n   maintained an   the performance of all      agency CIO ensure\n                                                                    agency information           all known agency security\n  agency-wide IT          agency              that bureaus comply\n                                                                   security officer per the      weaknesses including all\n security program? bureaus/components?        with the agency-wide\n                                                                      requirements in                   components?\n        Y/N                 Y/N               IT security program?\n                                                                          FISMA?\n        Yes              Yes - The CIO and Through the OSCAR                 Yes              No. 
See Note 2 & See A2 and\n                        CSO use reports from and independent                                  A3 for documentation pertaining\n                         independent audits reviews process that                              to POA&Ms and issue tracking.\n                          and the OSCAR2        periodically occur\n                         reviews to assist in throughout the year.\n                              evaluating\n                        performance \xe2\x80\x93 (Also\n                            See Note 1).\n\nNote 1: The CIO is included in the process that ensures that Agency management is made aware of the audits that are\nperformed at and for the Agency. The process ensures that the CIO through the CSO is notified on issue resolution at least\nquarterly. The CIO through the CSO and OSSOM tracks components that do not complete their assessments within the\nprevious FY. FISMA requires the agency CIOs monitor their agency\xe2\x80\x99s implementation of IT standards developed by NIST.\nAt SSA, the CIO has indirect authority over security policy development and implementation. The components in charge of\nthose activities exist in other components and are ultimately responsible to other Deputy Commissioners. OSSOM\nimplements security policy and is part of the Office of Financial Assessment and Management and reports to the Deputy\nCommissioner of Finance, Assessment and Management. OTSO, which implements and monitors security policy, is part of\nthe Office of Systems and reports to the Deputy Commissioner of Systems. Finally, FISMA requires that each Federal\nagency CIO head an office with the mission and necessary resources to ensure the agency compliance with the regulation.\nThe CSO works within the office to oversee the security program, but only has a staff of three people.\nNote 2: SSA develops POA&Ms based primarily on how divisions address open issues and whether or not there has been\nany priority to resolve them. 
The Agency uses other processes to log, track, and resolve issues noted during assessments.\nThere is no centralized database to ensure that all systems and security related issues are addressed and included in\nPOA&M.\n\n\n\n\n         2\n             Onsite Security Control and Audit Review.\n\n\n         OIG\xe2\x80\x99s Detailed Report on SSA\xe2\x80\x99s Compliance with FISMA (A-14-03-13046)                                     11\n\x0cC.3. Has the agency CIO ensured security training and awareness of all agency employees, including\ncontractors and those employees with significant IT security responsibilities?\n                                   Total number of Agency employees with\n   Total                               agency          significant security\nnumber of Agency employees that employees with        responsibilities that\n  agency      received IT security  significant IT   received specialized Briefly describe Total costs for\nemployees       training in FY03       security              training           training          providing\n in FY03     Number Percentage     responsibilities Number Percentage           provided      training in FY03\n                                                                                  SSA\n                                                                             management\n64,116 (as    63,700        99.4%        292                                                      $374,979\n                                                       223          76%     maintains a list\nof 8/18/03) See Note 1 See Note 1                                                                See Note 3\n                                                                            of course titles.\n                                                                              See Note 2\n\nNote 1: The figure reported is based upon the number of employees who reviewed and signed their annual\nsanctions awareness form.\nNote 2: Some 
of the courses reviewed did not appear to be dedicated to IT security. SSA tried to estimate how
many of the courses related to IT security.

Note 3: The Agency does not have a central system for tracking security training costs. The Agency
requested each component provide information on the number of people and the expense of the IT
security training. SSA is currently developing a database that will centrally compile and track
security training. Of the components that reported security training in FY 2003, the total costs
were $374,979.


OIG’s Detailed Report on SSA’s Compliance with FISMA (A-14-03-13046)                                 12


C.4. Has the agency CIO fully integrated security into the agency’s capital planning and investment
control process? Were IT security requirements and costs reported on every FY05 business case (as
well as in the exhibit 53) submitted by the agency to OMB?

Bureau Name: SSA

Number of business cases submitted to OMB in FY05:
    None to date - not due until September. See Note 1

Did the agency program official plan and budget for IT security and integrate security into all
of their business cases? Y/N:
    Yes

Did the agency CIO plan and budget for IT security and integrate security into all of their
business cases? Y/N:
    Yes

Are IT security costs reported in the agency's capital budget for each IT investment? Y/N:
    Yes

Note 1: The Agency has developed 16 business cases that will be submitted for FY05 cycle. Business
cases for FY05 cycle are not due to be submitted to OMB until September. According to SSA, there
were 20 business cases submitted in FY04 cycle.


POA&M Update – See OMB Steps A3 and D1

Quarterly POA&M Updated Information                                        Programs                    Systems
a. Total number of weaknesses identified at the start of the quarter.      6                           3
b. Number of weaknesses for which corrective action was completed          1 - all others are ongoing  0 - all ongoing
   on time (including testing) by the end of the quarter.
c. Number of weaknesses for which corrective action is ongoing and         5                           3
   is on track to complete as originally scheduled.
d. Number of weaknesses for which corrective action has been               0                           0
   delayed including a brief explanation for the delay.
e. Number of new weaknesses discovered following the last POA&M            0                           0
   update and a brief description of how they were identified (e.g.,
   agency review, IG evaluation, etc.).

Note 1: The Agency has not included the date opened in the POA&Ms. Instead, it has documented the
opening by identifying "How Identified" which can be tracked back to a specific event. The Agency is
developing a system and process that will include identifying open dates as well as other information
in accordance with NIST guidelines. To fully comply with FISMA, the new system must be able to
generate POA&Ms for all issues across the Agency and it must include a verifiable remediation
process. See A3 for POA&M material obtained and analyzed during the course of fieldwork.


                                        Addendum I

    Accreditations for the 17 sensitive systems reviewed for FY 2003

#    System                                                            Acronym
1    Retirement, Survivors & Disability Insurance - Initial Claims     RSDI - IC
2    Retirement, Survivors & Disability Insurance - Post Entitlement   RSDI - PE
3    Retirement, Survivors & Disability Insurance - Accounting         RSDI - Acct
4    Recovery of Overpayments, Accounting, & Reporting System          ROAR
5    SSN Establishment & Correction System                             Enumeration
6    Earnings Record Maintenance System                                ERMS
7    Supplemental Security Income Records Maintenance System           SSIRMS
8    Human Resources Management Info System                            HRMIS
9    Debt Management System                                            DMS
10   Audit Trail System                                                ATS
11   Death Alert Control & Update System                               DACUS
12   Financial Accounting System                                       FACTS
13   Comprehensive Integrity Review Process                            CIRP
14   Enterprise Mainframe & Distributed Network Telecom System         Network and mainframe components
15   Logiplex Security System                                          Logiplex
16   FALCON Data Entry System                                          FALCON
17   Integrated Client Database                                        ICDB


                                    Appendices

APPENDIX A - Acronyms

APPENDIX B - OIG Contacts and Staff Acknowledgments


                                                                 Appendix A
Acronyms

CY                 Calendar Year
CIO                Chief Information Officer
CIP                Critical Infrastructure Protection
COOP               Continuity of Operations Plan
CSO                Chief Security Officer
DDS                Disability Determination Services
E-Government Act   Electronic Government Act of 2002
FedCIRC            Federal Computer Incident Response Center
FISMA              Federal Information Security Management Act
FMS                Federal Management Services
FY                 Fiscal Year
GAO                General Accounting Office
GISRA              Government Information Security Reform Act
HHS                Department of Health and Human Services
IG                 Inspector General
IT                 Information Technology
NIST               National Institute of Standards and Technology
OCIO               Office of the Chief Information Officer
OIG                Office of the Inspector General
OMB                Office of Management and Budget
OSSOM              Office of System Security Operations and Management
OSCAR              On-site Security Control and Audit Review
OTSO               Office of Telecommunication and System Operation
PSC                Program Service Center
PwC                PricewaterhouseCoopers
POA&M              Plan of Action and Milestones
SDLC               Systems Development Life-Cycle
SSA                Social Security Administration
SSI                Supplemental Security Insurance
VA                 Department of Veterans Affairs


                                                                     Appendix B

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kitt Winter, Director, Data Analysis and Technical Audit Division (410) 965-9702

   Phil Rogofsky, Audit Manager, Network Security and Telecommunication Branch
   (410) 965-9719

Acknowledgments

In addition to the persons named above:

   Mary Ellen Fleischman, Senior Program Analyst

   Greg Hungerman, Senior Program Analyst

   Harold Hunter, Senior Auditor

   Greg Thompson, Auditor

   Grace Chi, Auditor

   Annette DeRito, Writer/Editor


                            DISTRIBUTION SCHEDULE

Commissioner of Social Security
Deputy Commissioner of Social Security
Deputy Commissioner of Systems
Deputy Commissioner of Finance, Assessment and Management
Chief Information Officer
Deputy Commissioner of Operations
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board


              Overview of the Office of the Inspector General

                                       Office of Audit
The Office of Audit (OA) conducts comprehensive financial and performance audits of
the Social Security Administration’s (SSA) programs and makes recommendations to
ensure that program objectives are achieved effectively and efficiently. Financial audits,
required by the Chief Financial Officers' Act of 1990, assess whether SSA’s financial
statements fairly present the Agency’s financial position, results of operations and cash
flow. Performance audits review the economy, efficiency and effectiveness of SSA’s
programs. OA also conducts short-term management and program evaluations focused
on issues of concern to SSA, Congress and the general public. Evaluations often focus
on identifying and recommending ways to prevent and minimize program fraud and
inefficiency, rather than detecting problems after they occur.

                              Office of Executive Operations
OEO supports the OIG by providing information resource management; systems
security; and the coordination of budget, procurement, telecommunications, facilities
and equipment, and human resources. In addition, this office is the focal point for the
OIG’s strategic planning function and the development and implementation of
performance measures required by the Government Performance and Results Act.
OEO is also responsible for performing internal reviews to ensure that OIG offices
nationwide hold themselves to the same rigorous standards that we expect from SSA,
as well as conducting investigations of OIG employees, when necessary. Finally, OEO
administers OIG’s public affairs, media, and interagency activities, coordinates
responses to Congressional requests for information, and also communicates OIG’s
planned and current activities and their results to the Commissioner and Congress.

                               Office of Investigations
The Office of Investigations (OI) conducts and coordinates investigative activity related
to fraud, waste, abuse, and mismanagement of SSA programs and operations. This
includes wrongdoing by applicants, beneficiaries, contractors, physicians, interpreters,
representative payees, third parties, and by SSA employees in the performance of their
duties. OI also conducts joint investigations with other Federal, State, and local law
enforcement agencies.

                         Counsel to the Inspector General
The Counsel to the Inspector General provides legal advice and counsel to the
Inspector General on various matters, including: 1) statutes, regulations, legislation,
and policy directives governing the administration of SSA’s programs; 2) investigative
procedures and techniques; and 3) legal implications and conclusions to be drawn from
audit and investigative material produced by the OIG. The Counsel’s office also
administers the civil monetary penalty program.